[ISN] Microsoft to build great wall of Yukon

From: InfoSec News (isnat_private)
Date: Wed Sep 11 2002 - 02:01:46 PDT

    By Wylie Wong 
    Staff Writer, CNET News.com
    September 10, 2002, 1:50 PM PT
    Microsoft is aiming to shore up the security of its SQL Server
    database management software.
    The next version of SQL Server, code-named "Yukon," will include a
    long list of new security-related features when it debuts in 2003,
    said James Hamilton, SQL Server's design architect. He said that
    Microsoft's database team spent more than a month auditing the
    software code for security holes.
    Yukon will include the ability to more easily add security fixes,
    Hamilton said. Previously, database administrators had to install
    patches one at a time, a several-step process in which mistakes could
    be made, he added.
    The software will also by default disable public access to all
    "tables," or rows and columns of data, to prevent hackers from taking
    advantage of openings, Hamilton said. Microsoft has previously
    disabled public access by default in many scenarios, but it had
    previously left open access to some information, such as metadata
    information, he said. Metadata is the definition of the data in the
    "When a customer installs Yukon, it will be a secure install,"  
    Hamilton said. "It's a faster set-up of your system. You don't have to
    go through and assign security for everything. It's already set, and
    you can adjust it."
    Yukon also gives administrators more far-reaching control over giving
    people access to specific data. For example, right now a worker can be
    granted or denied access to see employee information such as names and
    phone numbers. But with the upcoming software, administrators can go a
    step further and give employees access to data of only other workers
    in the same department.
    "You can squeeze down the security more," Hamilton said.
    The database security check is part of a company-wide initiative set
    up by chairman Bill Gates to beef up security in all of Microsoft's
    products. The tech giant has long been plagued by glitches and
    security holes in its software, from Windows to the Internet Explorer
    browser. And SQL Server has had its share of woes, including a worm
    attack in May. Databases, which manage information, are prone to
    attacks by hackers who want corporate or Web site information such as
    credit card numbers.
    Microsoft has touted its next-generation database as having new data
    storage architecture intended to make it easier to find and use
    corporate data. In fact, a forthcoming version of Windows, code-named
    Longhorn, will use Yukon's data storage capability.
    Sheryl Tullis, Microsoft's product manager for SQL Server, said the
    company will also try to teach administrators the best practices for
    using the software through white papers and Webcast tutorials.
    "It's not just securing the code, but educating people on reducing
    risk to themselves," she said.
    The test version of Yukon is scheduled for release in early 2003, with
    final shipment slated for late in the year. Other features include
    support for Microsoft's .Net strategy and increased performance,
    reliability and manageability.
    ISN is currently hosted by Attrition.org